All Zimbra administrators should make sure the pax package is installed on their Zimbra server. Pax is needed by Amavis to extract the contents of compressed attachments for virus scanning. If the pax package is not installed, Amavis falls back to using cpio. Unfortunately, that fallback is implemented poorly (by Amavis) and allows an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot.
On most Ubuntu servers the pax package should already be installed, as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance that pax is not installed on CentOS servers.
You should verify that pax is present and install it on all your systems as follows (on CentOS 8 the package is named spax, not pax):
Ubuntu
apt install pax
CentOS 7 and derivatives
yum install pax
CentOS 8 and derivatives
dnf install spax
Once pax is installed, restart Zimbra as the zimbra user:
sudo su zimbra -
zmcontrol restart
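The check-and-install procedure above, as an added POSIX sh script that is not part of the original advisory. It reads the distro ID and version from /etc/os-release (an assumption about how the host identifies itself), checks whether a pax binary is on the PATH, and prints the install command the advisory gives for that distro; the distro IDs for CentOS derivatives (rhel, rocky, almalinux) and the restart command `zmcontrol restart` are assumptions, as is the sample os-release text embedded for offline use.

```shell
#!/bin/sh
# pax_check.sh: added example, not code from the Zimbra advisory.
# Verifies that pax is installed and tells the operator how to install it.

# Map an os-release ID and VERSION_ID to the package name the advisory lists.
# The derivative IDs (rhel, rocky, almalinux) are assumptions, not from the page.
pax_package_for() {
  id="$1"; major="${2%%.*}"
  case "$id" in
    ubuntu) echo pax ;;
    centos|rhel|rocky|almalinux)
      if [ "$major" -ge 8 ] 2>/dev/null; then echo spax; else echo pax; fi ;;
    *) return 1 ;;
  esac
}

# The exact install command from the advisory for that distro/version.
install_command_for() {
  id="$1"; major="${2%%.*}"
  case "$id" in
    ubuntu) echo "apt install pax" ;;
    centos|rhel|rocky|almalinux)
      if [ "$major" -ge 8 ] 2>/dev/null; then echo "dnf install spax"
      else echo "yum install pax"; fi ;;
    *) return 1 ;;
  esac
}

# Extract KEY=value (optionally quoted) from os-release text passed as a string,
# so the parsing can be exercised offline on constructed input.
os_release_field() {
  printf '%s\n' "$2" | sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p"
}

# True when a pax binary is reachable on PATH (what Amavis will find).
pax_present() {
  command -v pax >/dev/null 2>&1
}

# Constructed sample, used only for the self-test below.
SAMPLE_OS_RELEASE='NAME="CentOS Linux"
VERSION="8"
ID="centos"
VERSION_ID="8"'

main() {
  if [ ! -r /etc/os-release ]; then
    echo "cannot read /etc/os-release; determine the distro manually" >&2
    return 2
  fi
  os_text=$(cat /etc/os-release)
  id=$(os_release_field ID "$os_text")
  ver=$(os_release_field VERSION_ID "$os_text")
  if pax_present; then
    echo "OK: pax found at $(command -v pax)"
    return 0
  fi
  cmd=$(install_command_for "$id" "$ver") || {
    echo "pax missing and distro '$id' not recognised; install pax manually" >&2
    return 2
  }
  echo "pax is NOT installed (Amavis will fall back to cpio). Run: $cmd"
  # Restart command is an assumption; see the advisory text for the steps.
  echo "then restart Zimbra: su - zimbra -c 'zmcontrol restart'"
  return 1
}

# Run the check only when executed as a script; sourcing just defines functions.
if [ "${0##*/}" = "pax_check.sh" ]; then
  main "$@"
fi
```

Run it as root with `sh pax_check.sh`; exit status 0 means pax is present, 1 means it is missing and the printed command should be run, 2 means the distro could not be determined.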
This issue will also be addressed in the next Zimbra patch, where we will make pax a requirement of Zimbra.